If you want a little more information on how to test this exploit in a controlled environment.Head over to pauldotcomThe screencast is a little more “complete” then mine. I just wanted to prove a point.

With recent attacks on Google/Adobe and Yahoo (just to name a few) thanks to the Aurora exploit. Internet Explorer is something to be avoided at the moment. Unless you’re running version 5.01, I would suggest switching to FireFox for the time being. As far as I know, Microsoft has not released a patch for this one. Let’s hope they do.

As far as I can tell, and with a little info from exploit-db, remote code execution is only functional under Windows XP running Internet Explorer 6. That doesn’t mean newer versions of Internet Explorer are not effected… we just don’t know about it yet. IE 7/8 will crash under Windows XP, and the DEP under Vista/7 should stop the crash in time.

So it’s a good idea to listen to Microsoft and enable DEP and everything else under the sun to protect your system(s)… Especially now there’s another exploit that basically guarantees privilege escalation.

The Ring-Zero exploitIs the latest one, and let me tell you. I’ve tested this privilege escalation exploit on Windows XP sp2/xp3, Windows Server 2008 Enterprise and Windows 7. Dookie from exploit-db tested it on Windows Server 2003…We all got System shell… Not scared yet? You should be. You can read more about it in the link I provided just above.

Does this mean Windows is wide open at the moment? Should we close down the Internet and our corporate networks? Well even if that would be a great solution, it’s impossible. There is one way to protect one’s self (or help reduce the risk/damage). DON’T RELY ON JUST A FIREWALL! Let your network administrators install snort. Let them monitor inbound as well as outbound traffic. Don’t close your eyes and say “there’s no reason to get hacked.. we’re a small company” (of course this is more for any managers reading this). Like to meet the guy that said Linux is less secure now…

So good luck this week, and lets hope Microsoft comes up with something soon. I need to scare the pants off my boss tomorrow. Need to work on a nice scenario to really convince him…

Category: Uncategorized /
Tags: no tag / Comments Off on Happy new year

Happy new year ! (I know I’m late…)

Been a busy new year for me, which is basically a continuation of how 2009 finished. Either being sick or extremely busy at work and family life. Personal projects and other testing took a back seat unfortunately.Since I don’t have much of anything to write up, here’s part of SANS’ newsletter. One article, in m opinion, is worth reading. Skoudis’ comment is on the money. It’s too bad that the powers that be (management) probably never read this stuff… –Zero-Day IE Flaw Used in Attacks on Google, Adobe and Others(January 14, 2010)Attackers exploited a zero-day vulnerability in Internet Explorer (IE)to launch attacks on Adobe, Google and about 30 other US companies. Theflaw reportedly affects all versions of IE. Microsoft became aware ofthe vulnerability on January 13 and plans to issued an advisory onJanuary 14. The memory corruption vulnerability allows attackers toinject malware onto users’ computers. So far, the flaw has beenexploited only in targeted attacks. While there have been reports thatthe attackers also used maliciously crafted PDF files to launch theirattacks against the companies, now it is believed that only the IE flawwas used in the attacks.http://www.wired.com/threatlevel/2010/01/hack-of-adobhttp://www.theregister.co.uk/2010/01/14/cyber_assault_followup/http://www.computerworld.com/s/article/9144844/Hackers_used_IE_zero_day_not_PDF_in_China_Google_attacks?source=rss_securityMicrosoft advisory: http://www.microsoft.com/technet/security/advisory/979267.mspxStorm Center: http://isc.sans.org/diary.html?storyid=7993[Editor’s Note (Skoudis): The news this week about Google, China, andadvanced persistent threats illuminates an important change in security.The threatscape has been shifting from cyber crime to more insidiousattacks over the past couple of years, but in a way that didn’t garnera lot of attention. Until now. I think it’s a good thing to see folksfinally waking up to this issue, rather than pretending it doesn’texist.(Honan): This vulnerability when exploited uses the same user levels asthe logged on user; maybe it is time to convince your management andusers that they do not need local administrator access.]

On another note, Kioptrix will be tapping it’s first pod-cast this evening. Must warn you, it’s in French… It’s going to be available for download soon. Bare in mind, this is our first crack at this.

As always, visit us at kioptrix.com and check out our media section and VM download section. A few things are in the works that we hope people will enjoy. Also pretty soon, I’ll be moving this blog post to it’s new home permanently.